
CHAPTER 1

Arithmetic and the symmetric group

This chapter's aim is to recall some results from arithmetic and to provide some of their applications in computer science. We shall also give a couple of reminders about the symmetric group that we constantly use in Galois theory.

1.1 Reminder of arithmetic

1.1.1 Z / nZ

We recall here some results from arithmetic that are often used in the following chapters.

First, let us quote Bézout's identity, an easy but fundamental lemma: if a and b are two coprime integers, then there exist two integers u and v such that au + bv = 1.

Given $n \in \mathbb{N}^\times$, we recall that the set of congruence classes modulo n is the set $\{\overline{0}, \overline{1}, \ldots, \overline{n-1}\}$, denoted by $\mathbb{Z}/n\mathbb{Z}$. This set is naturally endowed with a commutative ring structure. The generators of $\mathbb{Z}/n\mathbb{Z}$ (as an additive group) are the classes $\overline{m}$ such that m and n are coprime. The additive group $\mathbb{Z}/n\mathbb{Z}$ is isomorphic to the multiplicative group of nth complex roots of unity. Let us also recall that a class $\overline{m}$ is invertible if and only if m and n are coprime, and that, otherwise, $\overline{m}$ is a zero divisor. Finally, $\mathbb{Z}/p\mathbb{Z}$ is a field if and only if p is a prime number; in that case, we set $\mathbb{F}_p = \mathbb{Z}/p\mathbb{Z}$.

810151_.pdf 21 10/14/2016 10:52:42 AM 4 CHAPTER 1. ARITHMETIC AND THE SYMMETRIC GROUP

The Chinese remainder theorem asserts that if m and n are coprime, then the rings $\mathbb{Z}/mn\mathbb{Z}$ and $\mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}$ are isomorphic.

1.1.2 Groups and Euler’s totient function

Let G be a group whose identity element is denoted by e. We recall that an element $g \in G$ has finite order if there exists an integer $n \in \mathbb{N}^\times$ such that $g^n = e$. The smallest integer $n \in \mathbb{N}^\times$ such that $g^n = e$ is called the order of g and denoted by o(g). The cardinality of a finite group is also called the order of the group. This notion is the same as the previous definition of the order in the case of a finite cyclic group, i.e., a finite group that is generated by a single element.

The basic (but fundamental) result about the order is Lagrange's theorem, which states that the order of every element in a finite group divides the group's order. Let us provide an application of this theorem that will be used later: if two elements $g_1$ and $g_2$ commute and have finite and coprime orders $m_1$ and $m_2$, then the order of $g_1g_2$ is the product of their orders. In fact, the identity $(g_1g_2)^{m_1m_2} = e$ shows that the order of $g_1g_2$ divides $m_1m_2$. Conversely, if $q \in \mathbb{N}^\times$ satisfies $(g_1g_2)^q = e$, the element $g_2^{-q} = g_1^q$ belongs to the group $\langle g_1\rangle \cap \langle g_2\rangle$. By Lagrange's theorem, its order divides $m_1$ and $m_2$, thus it is equal to 1, and we have $g_1^q = e$. Therefore, $m_1$ divides q; in the same way, $m_2$ divides q, thus $m_1m_2$ divides q.

Let us also quote another interesting result that we will use later: Cauchy’s theorem asserts that if a prime number p divides the order of a finite group G, then G contains an element of order p.

Let now G be a finite group that acts on a finite set X. For every $x \in X$, we denote by $G \cdot x$ the orbit of x and by $G_x$ the stabilizer of x in G. The map ψ from G to $G \cdot x$ defined by $\psi(g) = g \cdot x$ induces a one-to-one correspondence from $G/G_x$ onto $G \cdot x$, hence the identity $|G \cdot x| = \frac{|G|}{|G_x|}$. The set of all orbits is a partition of X, thus if we denote by $O_1, \ldots, O_r$ the distinct orbits of X under the action of G, then we have $|X| = |O_1| + \cdots + |O_r|$. This formula is called the class equation.

For every $g \in G$, we define the stabilizer of g by $\mathrm{fix}_g := \{x \in X / g \cdot x = x\}$. Then we have Burnside's lemma:

$$r = \frac{1}{|G|} \sum_{g \in G} |\mathrm{fix}_g|.$$


In fact, let us consider the set $F := \{(g, x) \in G \times X / g \cdot x = x\}$. Then we have $|F| = \sum_{g \in G} |\mathrm{fix}_g|$, and

$$|F| = \sum_{x \in X} |G_x| = \sum_{j=1}^{r} \sum_{x \in O_j} |G_x| = \sum_{j=1}^{r} \sum_{x \in O_j} \frac{|G|}{|O_j|} = r\,|G|,$$

and we get the result.

For every $n \in \mathbb{N} \setminus \{0, 1\}$, we denote by $\varphi(n)$ the number of invertible elements in $\mathbb{Z}/n\mathbb{Z}$. We also set $\varphi(1) = 1$. Euler's totient function is the map φ from $\mathbb{N}^\times$ to $\mathbb{N}^\times$ such that the number $\varphi(n)$ is the order of the group $(\mathbb{Z}/n\mathbb{Z})^\times$. It follows from the Chinese remainder theorem that if $n_1, \ldots, n_r$ are numbers that are pairwise coprime, then $\varphi(n_1 \cdots n_r) = \varphi(n_1) \cdots \varphi(n_r)$. If p is a prime number, then $\mathbb{Z}/p\mathbb{Z}$ is a field, thus $\varphi(p) = p - 1$. If $\alpha \in \mathbb{N}$, then $\varphi(p^\alpha)$ is the number of elements in the set $[[0, p^\alpha - 1]]$ that are coprime to $p^\alpha$. These elements are the elements of the set $[[0, p^\alpha - 1]] \setminus \{0, p, 2p, \ldots, p^\alpha - p\}$, hence $\varphi(p^\alpha) = p^\alpha - p^{\alpha - 1}$. Finally, if $n \in \mathbb{N}^\times$ can be written as $n = p_1^{\alpha_1} \cdots p_r^{\alpha_r}$, where the $p_1, \ldots, p_r$ are distinct prime numbers, then

$$\varphi(n) = \prod_{j=1}^{r} \left(p_j^{\alpha_j} - p_j^{\alpha_j - 1}\right) = n \prod_{j=1}^{r} \left(1 - \frac{1}{p_j}\right).$$

Let a be an integer that is coprime to n. Then $\overline{a}$ belongs to $(\mathbb{Z}/n\mathbb{Z})^\times$, thus by Lagrange's theorem, $\overline{a}^{\varphi(n)} = \overline{1}$, i.e., $a^{\varphi(n)} \equiv 1 \bmod n$. This result is called Euler's theorem. Fermat's little theorem follows if we take a prime number p: in this case, we have $\varphi(p) = p - 1$, thus if a and p are coprime, then $a^{p-1} \equiv 1 \bmod p$.

Finally, let us provide an application of Fermat’s little theorem that will be useful later.

Lemma 1.1.1 Let a, l be two integers and p, q be two distinct prime numbers. Then $a^{1 + l(p-1)(q-1)} \equiv a \bmod pq$.

Proof: First, let us consider two cases.
— If p does not divide a, then $a^{l(p-1)(q-1)} = \left(a^{p-1}\right)^{l(q-1)} \equiv 1 \bmod p$ according to Fermat's little theorem.
— If p divides a, then $a^{1 + l(p-1)(q-1)} \equiv 0 \equiv a \bmod p$.


Therefore, in both cases we have $a^{1 + l(p-1)(q-1)} \equiv a \bmod p$. In the same way, we have the relation $a^{1 + l(p-1)(q-1)} \equiv a \bmod q$. This shows that both p and q divide $a^{1 + l(p-1)(q-1)} - a$. As p and q are distinct prime numbers, their product pq also divides the number $a^{1 + l(p-1)(q-1)} - a$ and we are done. □

We have the relation $n = \sum_{d | n} \varphi(d)$, called Euler's formula. In fact, for every positive divisor¹ d of n, let us set $F_d := \{k \in [[0, n-1]] / k \wedge n = d\}$ and $F'_d := \{k \in [[0, \frac{n}{d} - 1]] / k \wedge \frac{n}{d} = 1\}$. Then the map $k \mapsto \frac{k}{d}$ is a one-to-one correspondence from $F_d$ onto $F'_d$, whose inverse function is the map $l \mapsto dl$. Therefore, $|F_d| = |F'_d| = \varphi\left(\frac{n}{d}\right)$. As the set $\{F_d / d | n\}$ is a partition of $[[1, n]]$, we have

$$\sum_{e | n} \varphi(e) = \sum_{d | n} \varphi\left(\frac{n}{d}\right) = \sum_{d | n} |F_d| = n.$$

Let us recall a result about the structure of finite cyclic groups. Its proof makes use of the previously stated methods.

Proposition 1.1.2 If G is a finite cyclic group of order n, then for every divisor d of n, G possesses a unique subgroup of order d.

Proof: Let $G := \langle x \rangle$ be a finite cyclic group of order n. For every $j \in [[0, n-1]]$, the order of $x^j$ is $\frac{n}{j \wedge n}$. Then the number of elements of order d is the cardinality of the set $\{j \in [[0, n-1]] / j \wedge n = \frac{n}{d}\}$. Moreover, the map $j \mapsto \frac{jd}{n}$ is a one-to-one correspondence (its inverse function is $l \mapsto \frac{ln}{d}$) between this set and the set $\{l \in [[0, d-1]] / l \wedge d = 1\}$. Hence the number of elements of order d is $\varphi(d)$. Furthermore, $y := x^{\frac{n}{d}}$ has order $\frac{n}{\frac{n}{d} \wedge n} = d$. Let $H := \langle y \rangle$ be the subgroup of G generated by y. Then the number of elements of order d in H is the cardinality of the set $\{l \in [[0, d-1]] / l \wedge d = 1\}$, i.e., $\varphi(d)$. Thus H contains all the elements of order d. □

The following theorem is a consequence of Euler’s formula.

Theorem 1.1.3 Every finite subgroup of the multiplicative group of a field K is cyclic. In particular, for $n \in \mathbb{N}^\times$, the set of roots of $X^n - 1$ in K is a finite cyclic subgroup of $K^\times$ whose order divides n. This group is called the group of nth roots of unity of K.

¹Unless expressly stated otherwise, all the divisors of integers considered in this book are assumed to be positive. In the same way, "d | n" means that d is a positive divisor of n.


Proof: Let G be a subgroup of order n of $K^\times$. Let us denote by $\psi(d)$ the number of elements of order d in G. Then either $\psi(d) = 0$ or $\psi(d) = \varphi(d)$. In fact, if there exists $x \in G$ of order d, then $\langle x \rangle$ is included in the set of roots of $X^d - 1$ in K. As K is an integral domain, by proposition 2.1.5 $X^d - 1$ has at most d roots in K, hence $\langle x \rangle$ is the set of all roots of $X^d - 1$ in K. Therefore, according to the proof of proposition 1.1.2, we have $\varphi(d) = \psi(d)$. In particular, for every d that divides n, we have $\psi(d) \le \varphi(d)$. Since $n = \sum_{d | n} \varphi(d) = \sum_{d | n} \psi(d)$, we get $\varphi(d) = \psi(d)$ for every d that divides n. Finally, as $\psi(n) = \varphi(n) \ne 0$, there exists an element y in G of order n. Since the order of G is n, we have $G = \langle y \rangle$. □

For example, for every prime number p, $\mathbb{F}_p^\times$ is a finite cyclic group of order p − 1. Let us also note that the order of the group of nth roots of unity depends on the field K: in fact, there are n nth roots of unity in $\mathbb{C}$, whereas there are only one or two nth roots of unity in $\mathbb{R}$ (it depends on the parity of n).

There exists no general method to find explicit generators of $\mathbb{F}_q^\times$. However, the following result enables us to obtain such generators in some cases.

Theorem 1.1.4 (Lucas) Let $n \in \mathbb{N}^\times$ and $a \in \mathbb{Z}^\times$ such that $a^{n-1} \equiv 1 \bmod n$, and such that for every prime number p that divides n − 1, $a^{\frac{n-1}{p}}$ is not congruent to 1 modulo n. Then n is a prime number and a is a generator of $(\mathbb{Z}/n\mathbb{Z})^\times$.

Proof: Let us denote by o(a) the order of $\overline{a}$ in $\mathbb{Z}/n\mathbb{Z}$. As $a^{n-1} \equiv 1 \bmod n$, o(a) divides n − 1. Let us prove by contradiction that o(a) = n − 1: if $o(a) \ne n - 1$, then $\frac{n-1}{o(a)} > 1$, thus $\frac{n-1}{o(a)}$ possesses a prime factor p. Consequently, there exists $c \in \mathbb{N}^\times$ such that $\frac{n-1}{o(a)} = cp$. Then $a^{\frac{n-1}{p}} = \left(a^{o(a)}\right)^c \equiv 1^c \equiv 1 \bmod n$. This is in contradiction to the hypothesis, so that o(a) = n − 1. Therefore, since $|(\mathbb{Z}/n\mathbb{Z})^\times| \le n - 1$, $\overline{a}$ generates $(\mathbb{Z}/n\mathbb{Z})^\times$ and we have $|(\mathbb{Z}/n\mathbb{Z})^\times| = n - 1$. Finally, every nonzero class is invertible, so $\mathbb{Z}/n\mathbb{Z}$ is a field, and n is necessarily prime. □

To find explicit generators a of $(\mathbb{Z}/n\mathbb{Z})^\times$, we try the positive integers a = 2, 3, 4, 5, ...
— If $a^{n-1}$ is not congruent to 1 modulo n, then by Fermat's little theorem, n is not a prime number.
— If $a^{n-1}$ is congruent to 1 modulo n, then we compute $b_p := a^{\frac{n-1}{p}} \bmod n$ for every prime number p that divides n − 1. If none of the $b_p$ is congruent to 1 modulo n, then n is a prime number and a is a generator of $(\mathbb{Z}/n\mathbb{Z})^\times$.
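The procedure above, as an added example in Python (not the book's Maple code): the function tries a = 2, 3, 4, ... and stops at the first a that decides, returning a Fermat witness when n is composite or a generator when the Lucas conditions hold. The trial-division factoring of n − 1 is an assumption of this example, fine for the sizes used in this chapter.

```python
# Added example (Python, not the book's Maple): Lucas's test and the generator
# search of the procedure above: try a = 2, 3, 4, ... until one of the two
# cases decides.
from math import isqrt


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for the sizes here)."""
    factors = []
    d = 2
    while d <= isqrt(n):
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def lucas_generator(n, max_tries=10000):
    """Return a pair (status, a).

    ("composite", a): a^(n-1) is not 1 mod n, so by Fermat's little theorem n is
                      not prime (a is a Fermat witness).
    ("prime", a):     a^(n-1) = 1 mod n and a^((n-1)/p) != 1 mod n for every
                      prime p dividing n-1, so by Lucas's theorem n is prime and
                      a generates (Z/nZ)^x.
    ("unknown", None): no a up to max_tries decided; for a prime n this only
                      happens when max_tries is smaller than its least generator.
    """
    if n < 2:
        raise ValueError("n must be at least 2")
    if n == 2:
        return "prime", 1            # (Z/2Z)^x = {1}, generated by 1
    ps = prime_factors(n - 1)
    for a in range(2, min(n - 1, max_tries + 2)):
        if pow(a, n - 1, n) != 1:
            return "composite", a    # first case of the procedure
        if all(pow(a, (n - 1) // p, n) != 1 for p in ps):
            return "prime", a        # second case: every b_p differs from 1
        # otherwise a^(n-1) = 1 but some b_p = 1: a is not a generator, next a
    return "unknown", None
```

For the RSA prime p = 15 485 863 used later in this chapter, `lucas_generator(15485863)` returns "prime" together with a generator of $\mathbb{F}_p^\times$.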


1.2 Cryptography

We introduce here two methods of cryptography, as applications of results from arithmetic. Let us consider an example to understand the principle of cryptography: Alice wants to send the message "HAVE A NICE VACATION" to Bob. To make her text difficult to intercept by a third party, she will encrypt it by making use of an encryption key. Bob should be able to easily decrypt the received message thanks to a decryption key (which may be the same as the encryption key).

To write the message, we fix an alphabet of cardinality l whose letters are numbered from 0 to l − 1. For example, we may take
$\mathcal{A} = \{A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z, ␣\}$,
where ␣ denotes the space character, with l = 27.

We will explain both methods by programming them with Maple. First we define the alphabet $\mathcal{A}$ and the message to send.

    alphabet:="ABCDEFGHIJKLMNOPQRSTUVWXYZ ";
    l:=length(alphabet);
    message:="HAVE A NICE VACATION";

1.2.1 RSA

RSA is a public-key cryptosystem that was invented in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman (the name "RSA" comes from the first letter in each of their surnames), and it is currently the most widely used system for secure data transmission.

1.2.1.1 Construction of the keys

Bob fixes two distinct prime integers p and q that he keeps secret. He denotes their product by a = pq and sets ω = (p − 1)(q − 1). The number a is made public by Bob whereas ω is kept secret. As the prime factors of a are not publicly known, ω is difficult to compute. Bob also fixes an integer m that is coprime to ω and he makes m public. Since m is coprime to ω, m is invertible modulo ω (according to Bézout's identity), and its inverse k modulo ω can be computed thanks to the extended Euclidean algorithm.

The ordered pair (a, m) is the encryption key of Bob, which can be published in a directory in front of the name “Bob.” One says that RSA is a public-key cryptosystem because everybody knows the encryption key.


As for the decryption key of Bob, it is the ordered pair (a, k).

If Bob chooses p = 15 485 863 and q = 15 502 177, then a = 240064589223751 and ω = 240064558235712. Then he chooses m = 5, so that Bob’s key is the ordered pair (240064589223751, 5).

The inverse of m modulo ω is k = 96025823294285, and this number is kept secret.

    p:=15485863; q:=15502177;
    a:=p*q; omega:=(p-1)*(q-1);
    m:=5; igcd(5,omega);
    k:=1/m mod omega;

1.2.1.2 Encryption of the message

To send her message "HAVE A NICE VACATION" to Bob, Alice proceeds in three steps.
— She replaces each letter of the message with its number in the alphabet, and gets a list of integers between 0 and l − 1.
— This list can be seen as the string of digits of an integer in base l. Then she converts this list into the list of digits of this integer in base a. In this way, she gets a list $L_0$ of integers between 0 and a − 1.
— She raises each element of this list to the power m modulo a: this list $L_1$ is the encrypted message that Alice sends to Bob.

Let us note that if a third party gets the number a, he must factor a into prime numbers² to obtain p and q. Then he can deduce ω and k.

    # number(c) is the index of letter c in the alphabet (0 for "A"); i is local
    number:=proc(c)
      local i;
      if member(c,convert(alphabet,list),'i') then i-1 fi:
    end proc:
    letter:=proc(n) alphabet[n+1]; end proc:
    RSAencryption:=proc(msg,mm,MM)
      local n,L;
      n:=length(msg):
      L:=[seq(number(msg[j]),j=1..n)]:      # letters -> base-l digits
      L:=convert(L,base,l,MM):              # base-l digits -> base-MM digits
      L:=[seq(Power(L[j],mm) mod MM,j=1..nops(L))]:   # raise to the power mm
    end proc:

encryptedmsgRSA:=RSAencryption(message,m,a);

The encrypted message is $L_1$ = [78927236079698, 172573424333438].

²Integer factorization is a difficult problem. Several algorithms exist, such as Pollard's algorithm or the Lenstra factorization method, but none of them is efficient enough.


1.2.1.3 Decryption of the message

The following proposition will enable us to decrypt the message.

Proposition 1.2.1 For every integer x, we have $(x^m)^k \equiv x \bmod a$.

Proof: Let us show that $(x^m)^k \equiv x \bmod a$. By hypothesis, we have $mk \equiv 1 \bmod \omega$, i.e., there exists $l \in \mathbb{Z}$ such that $mk - 1 = l(p-1)(q-1)$. Then, according to lemma 1.1.1, we have $(x^m)^k = x^{mk} = x^{1 + l(p-1)(q-1)} \equiv x \bmod a$. □

When Bob gets this message (i.e., the list $L_1$), he also proceeds in three steps to decrypt it.
— He raises each element of the list to the power k modulo a, and according to proposition 1.2.1 he obtains the list $L_0$.
— This list can be seen as the string of digits of an integer in base a. Then he converts this list into the list of digits of this integer in base l.
— Finally, he replaces each number of this list with the matching alphabet letter, and obtains "HAVE A NICE VACATION." This message is always well appreciated!

    RSAdecryption:=proc(L,kk,MM)
      local n,Lbis:
      n:=nops(L):
      Lbis:=[seq(Power(L[j],kk) mod MM,j=1..n)]:   # undo the power mm
      Lbis:=convert(Lbis,base,MM,l):               # base-MM digits -> base-l digits
      Lbis:=[seq(letter(Lbis[j]),j=1..nops(Lbis))]:
      cat(op(Lbis));
    end proc:

    RSAdecryption(encryptedmsgRSA,k,a);   −→ "HAVEANICEVACATION"

Be careful if you send the same message to two friends whose keys $(a_1, m_1)$ and $(a_2, m_2)$ are such that $m_1$ and $m_2$ are coprime! According to Bézout's identity, there exist two integers $u_1$ and $u_2$ such that $u_1 m_1 + u_2 m_2 = 1$, hence $x = (x^{m_1})^{u_1} (x^{m_2})^{u_2}$, and the message can be easily decrypted by a third party!

1.2.2 Elgamal encryption system

Let p be a prime number, g a generator of $(\mathbb{Z}/p\mathbb{Z})^\times$, and h an element of $(\mathbb{Z}/p\mathbb{Z})^\times$. The discrete logarithm problem consists of finding $\lambda \in [[0, p-1]]$ such that $h \equiv g^\lambda \bmod p$. The difficulty³ of this problem is the key of the Elgamal system that we are going to describe.

³The discrete logarithm problem is a difficult problem. The naive algorithm that consists of trying all the values of $\lambda \in [[0, p-1]]$ has a time complexity of order O(n). Shanks' algorithm (baby-step giant-step), which is more efficient, solves the discrete logarithm problem with a complexity of order $O(\sqrt{n})$: we fix $\omega \in [[0, p-1]]$, close to $\sqrt{n}$, and by Euclidean division we write $\lambda = \omega\lambda_1 + \lambda_0$, with $\lambda_0 \in [[0, \omega-1]]$. In this way, the equation to solve is $g^{\lambda_0} \equiv h g^{-\omega\lambda_1} \bmod p$, where the unknown is the ordered pair $(\lambda_0, \lambda_1)$. Then we write the list $(g^{\lambda_0})_{\lambda_0 \in [[0, \omega-1]]} = (1, g, g^2, \ldots, g^{\omega-1})$, and for every $\lambda_1 \in [[0, E(\frac{n}{\omega})]]$, we determine whether $g^{\lambda_0} \equiv h g^{-\omega\lambda_1} \bmod p$.

1.2.2.1 Construction of the keys

The Elgamal encryption system is based on a shared secret key. If a third party intercepts an encrypted message, they must solve the discrete logarithm problem to find the key and decrypt the sent message.
— To construct his key, Bob chooses a prime integer p and a generator g of $(\mathbb{Z}/p\mathbb{Z})^\times$ and he makes them public. He also chooses an integer a in [[2, p − 2]] that he keeps secret. He makes the number $x := g^a \bmod p$ public, so that Bob's public encryption key is (p, g, x).
— In the same way, Alice chooses an integer b in [[2, p − 2]] that she keeps secret. As for the number $y := g^b \bmod p$, it will be sent along with the encrypted message.
— Finally, Alice and Bob compute the number $g^{ab}$, which is their shared secret key.

1.2.2.2 Encryption of the message

To send her message "HAVE A NICE VACATION" to Bob, Alice proceeds in three steps (the first step is the same as for RSA).
— She replaces each letter of the message with its number in the alphabet, and gets a list of integers between 0 and l − 1.
— This list can be seen as the string of digits of an integer in base l. Then she converts this list into the list of digits of this integer in base p. In this way, she gets a list $L_0$ of integers between 0 and p − 1.
— For each element m of this list, she computes $z := m x^b \bmod p$ and obtains a new list $L_1$. The ordered pair $(L_1, y)$ is the encrypted message that Alice sends to Bob.

If a third party intercepts the ordered pair $(L_1, y)$, as the generator g is public, he knows the relation $y \equiv g^b \bmod p$. Thus he must solve the discrete logarithm problem to obtain b. Then he is able to compute $k \equiv x^b \bmod p$ since x is public, and he can finally calculate $m \equiv z k^{-1} \bmod p$.

    p:=ithprime(2000*1000);
    with(RandomTools): with(numtheory):
    do
      g:=Generate(integer(range=2..p-1));
      if order(g,p)=p-1 then break fi:   # keep g only if it generates (Z/pZ)^x
    od:

We get p = 32 452 843 and g = 22 393 191.
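Before continuing with the encryption code, here is the baby-step giant-step algorithm of footnote 3 as an added Python example (not the book's Maple code), run on the p and g just obtained. It makes the footnote's $O(\sqrt{n})$ claim concrete: about $2\sqrt{p} \approx 11\,400$ modular multiplications recover Alice's secret b from the transmitted y, which is why a 25-bit prime is a classroom parameter and real deployments use primes of 2048 bits or more.

```python
# Added example (Python, not the book's Maple): Shanks' baby-step giant-step
# algorithm as described in footnote 3, on the book's p and g.
from math import isqrt


def baby_step_giant_step(g, h, p):
    """Return the smallest lambda with g^lambda = h mod p, or None if none exists."""
    n = p - 1                         # the exponent lives in [[0, p-2]]
    w = isqrt(n) + 1                  # omega, close to sqrt(n)
    # Baby steps: the list (g^lambda0) for lambda0 in [[0, w-1]], as a lookup table.
    table = {}
    power = 1
    for l0 in range(w):
        table.setdefault(power, l0)   # keep the smallest lambda0 for each value
        power = power * g % p
    # Giant steps: h * g^(-w*lambda1) for lambda1 in [[0, E(n/w)]]. A hit in the
    # table means g^lambda0 = h * g^(-w*lambda1), i.e. lambda = w*lambda1 + lambda0.
    g_minus_w = pow(pow(g, w, p), p - 2, p)   # inverse of g^w (Fermat's little theorem)
    current = h % p
    for l1 in range(n // w + 1):
        if current in table:
            return w * l1 + table[current]
        current = current * g_minus_w % p
    return None


# The book's parameters: p = ithprime(2000000), the generator g found above, and
# Alice's secret exponent b used in the next paragraph.
P, G = 32452843, 22393191
SECRET_B = 744


def recover_b_from_y():
    """What the eavesdropper of the text does: given the public y = g^b, find b."""
    y = pow(G, SECRET_B, P)
    return baby_step_giant_step(G, y, P)
```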


    EGencryption:=proc(msg::string,p::posint,bb::posint,gg,xx)
      local n,L;
      n:=length(msg):
      L:=[seq(number(msg[j]),j=1..n)]:     # letters -> base-l digits
      L:=convert(L,base,l,p):              # base-l digits -> base-p digits
      # multiply every digit by xx^bb, and return y = gg^bb alongside;
      # the exponent is the parameter bb (the original used the global b here)
      L:=[[seq(L[j]*Power(xx,bb) mod p,j=1..nops(L))], Power(gg,bb) mod p]:
    end proc:

    a:=165; b:=744;
    x:=Power(g,a) mod p; y:=Power(g,b) mod p;   −→ x = 6 423 741, y = 27 512 765
    encryptedmsgEG:=EGencryption(message,p,b,g,x);

The encrypted message is [[2799068, 20858626, 16585434, 9795925], 27512765].

1.2.2.3 Decryption of the message

When Bob gets this message (i.e., the ordered pair $(L_1, y)$), he proceeds in four steps to decrypt it (the last step is the same as for RSA).
— He computes $k := y^a \equiv g^{ab} \equiv x^b \bmod p$.
— For each element z of the list $L_1$, he computes $m := z k^{-1} \bmod p$ and, by definition of k, he obtains the list $L_0$.
— This list can be seen as the string of digits of an integer in base p. Then he converts this list into the list of digits of this integer in base l.
— Finally, he replaces each number of this list with the matching alphabet letter, and obtains "HAVE A NICE VACATION."
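As an added example (not the book's own code), both schemes of sections 1.2.1 and 1.2.2 in Python instead of Maple, with the book's alphabet, message and key parameters. It assumes Maple's little-endian digit convention for convert(L, base, l, a) (first list element = least significant digit), and it adds a message-length argument that the Maple code lacks, because a message ending in "A" (letter 0) ends in a leading zero digit that the base conversion drops.

```python
# Added example (Python, not the book's Maple): RSA and Elgamal as described in
# this section, with the book's alphabet, message and parameters. Digit lists
# are little-endian like Maple's convert(L, base, l, a).

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ "    # l = 27, the space is letter 26
L = len(ALPHABET)
MESSAGE = "HAVE A NICE VACATION"


def digits_to_int(digits, base):
    """Little-endian digit list -> integer."""
    value = 0
    for d in reversed(digits):
        value = value * base + d
    return value


def int_to_digits(value, base):
    """Integer -> little-endian digit list (at least one digit)."""
    digits = []
    while True:
        value, r = divmod(value, base)
        digits.append(r)
        if value == 0:
            return digits


def text_to_blocks(msg, modulus):
    """Steps 1 and 2 of the encryption: letters -> base-l digits -> base-modulus digits."""
    letters = [ALPHABET.index(c) for c in msg]
    return int_to_digits(digits_to_int(letters, L), modulus)


def blocks_to_text(blocks, modulus, length=0):
    """Inverse of text_to_blocks. The Maple code ignores one caveat: a message
    ending in 'A' (letter 0) has a leading zero digit that base conversion
    drops, so the original length is needed to restore the trailing 'A's."""
    letters = int_to_digits(digits_to_int(blocks, modulus), L)
    letters += [0] * (length - len(letters))
    return "".join(ALPHABET[d] for d in letters)


# --- RSA (section 1.2.1) -----------------------------------------------------
def rsa_keygen(p, q, m):
    """Public modulus a = pq and private exponent k = m^-1 mod omega."""
    a, omega = p * q, (p - 1) * (q - 1)
    k = pow(m, -1, omega)             # raises ValueError unless gcd(m, omega) = 1
    return a, k


def rsa_encrypt(msg, a, m):
    return [pow(x, m, a) for x in text_to_blocks(msg, a)]


def rsa_decrypt(blocks, a, k, length=0):
    return blocks_to_text([pow(y, k, a) for y in blocks], a, length)


# --- Elgamal (section 1.2.2) -------------------------------------------------
def elgamal_encrypt(msg, p, g, x, b):
    """Alice's side: (L1, y) with y = g^b and every block multiplied by x^b."""
    y = pow(g, b, p)
    shared = pow(x, b, p)             # x^b = g^(ab), the shared secret key
    return [block * shared % p for block in text_to_blocks(msg, p)], y


def elgamal_decrypt(blocks, y, p, a, length=0):
    """Bob's side: k = y^a = g^(ab), then divide every block by k."""
    k_inv = pow(pow(y, a, p), -1, p)
    return blocks_to_text([z * k_inv % p for z in blocks], p, length)


# The book's parameters: p, q, m for RSA; p, g, a, b for Elgamal.
RSA_P, RSA_Q, RSA_M = 15485863, 15502177, 5
EG_P, EG_G, EG_A, EG_B = 32452843, 22393191, 165, 744


def rsa_roundtrip(msg=MESSAGE):
    """Return (L1, decrypted text) for the RSA scheme."""
    a, k = rsa_keygen(RSA_P, RSA_Q, RSA_M)
    cipher = rsa_encrypt(msg, a, RSA_M)
    return cipher, rsa_decrypt(cipher, a, k, len(msg))


def elgamal_roundtrip(msg=MESSAGE):
    """Return ((L1, y), decrypted text) for the Elgamal scheme."""
    x = pow(EG_G, EG_A, EG_P)         # Bob's public x = g^a
    cipher, y = elgamal_encrypt(msg, EG_P, EG_G, x, EG_B)
    return (cipher, y), elgamal_decrypt(cipher, y, EG_P, EG_A, len(msg))
```

Both schemes here are the textbook, unpadded versions: encryption is deterministic for RSA and the blocks are bare residues, which is exactly what the warnings in this section (the common-exponent remark above, the discrete-logarithm cost in footnote 3) are about.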

    EGdecryption:=proc(doubleL,p,aa,gg)
      local k,Lbis,L,y;
      L:=doubleL[1]: y:=doubleL[2]:
      k:=Power(y,aa) mod p:                           # k = y^a = g^(ab)
      Lbis:=[seq(L[j]/k mod p,j=1..nops(L))]:         # divide every block by k
      Lbis:=convert(Lbis,base,p,l):                   # base-p digits -> base-l digits
      Lbis:=[seq(letter(Lbis[j]),j=1..nops(Lbis))]:
      cat(op(Lbis));
    end proc:

    EGdecryption(encryptedmsgEG,p,a,g);   −→ "HAVEANICEVACATION"

1.3 The symmetric group

1.3.1 Permutations and system of generators of $S_n$

In this paragraph, we study the symmetric group⁴; this is the group of bijections from [[1, n]] onto itself, and it is extremely important. In fact, by Cayley's theorem, for every finite group G, the map $g \mapsto \tau_g$, where $\tau_g : h \mapsto gh$ is the translation on the left by g, is an injective group homomorphism from G to the symmetric group $S_{|G|}$. In this way, G can be seen as a subgroup of $S_{|G|}$.

⁴For a funny introduction to the symmetric group, see [Ste86].

Let us recall a fundamental result: every permutation factors into a product of disjoint cycles and this factorization is unique, up to the order of the factors. Given $\sigma \in S_n$, we can write it as $\sigma = c_1 \cdots c_r$, where every $c_j$ is a $k_j$-cycle, with $k_1 \ge k_2 \ge \cdots \ge k_r \ge 1$ and $k_1 + \cdots + k_r = n$. In this way, we can associate to every permutation $\sigma \in S_n$ the partition $(k_1, \ldots, k_r)$ of the integer n. This partition is called the type of the permutation. We can also denote the type of the permutation by $(\cdot\cdot)\ldots(\cdot)$. For example, the type (3, 2, 2, 1) in $S_8$ can be denoted by $(\cdot\cdot\cdot)(\cdot\cdot)(\cdot\cdot)(\cdot)$ or even $(\cdot\cdot\cdot)(\cdot\cdot)(\cdot\cdot)$. We also recall that two permutations are conjugate if and only if they have the same type. This induces a bijection from the set of conjugacy classes of $S_n$ onto the set of partitions of n. The number⁵ of permutations having the same type is given by the formula

$$\frac{n!}{\prod_{k=1}^{n} k^{N_k}\, N_k!},$$

where, for $k \in [[1, n]]$, $N_k$ is the number of k-cycles of the permutation (i.e., of its type).

We immediately deduce the order of the stabilizer $(S_n)_\sigma$ of every permutation $\sigma \in S_n$:

$$|(S_n)_\sigma| = \prod_{k=1}^{n} k^{N_k}\, N_k!.$$

Let us provide some systems of generators of $S_n$. First, the transpositions generate $S_n$: in fact, every permutation can be written as a product of disjoint cycles, and every k-cycle can be written as

$$(i_1, \ldots, i_k) = (i_1, \ldots, i_{k-1})(i_{k-1}, i_k) = (i_1, i_2) \cdots (i_{k-1}, i_k).$$

Then, the simple transpositions (i.e., those of the form (j, j + 1) with $j \in [[1, n-1]]$) generate $S_n$: in fact, we have $(i, j) = c\,(j-1, j)\,c^{-1}$ with

$$c = (i, i+1, \ldots, j-1) = (i, i+1)(i+1, i+2) \cdots (j-2, j-1).$$

⁵To compute this number, we can proceed in this way: we begin by systematically filling n slots: this provides n! possibilities. Then we count the repetitions: without changing the order of the k-cycles, there are $k^{N_k}$ repetitions (each k-cycle can start at any of its k elements); moreover, for every $k \in [[1, n]]$, there are $N_k!$ permutations of the order of the k-cycles. Hence the formula.
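The notions of this paragraph as an added Python example (not the book's Maple code): disjoint-cycle decomposition, type, sign, and the class-size formula $n!/\prod_k k^{N_k} N_k!$ checked against a full enumeration of $S_n$; it also counts the even permutations by type, which is the census of $A_5$ used in the proof of theorem 1.3.2 below. A permutation σ is represented as the tuple $(\sigma(1), \ldots, \sigma(n))$, a convention of this example.

```python
# Added example (Python, not the book's Maple): cycles, type, sign and the
# class-size formula n! / prod_k k^N_k N_k! of a permutation of [[1, n]].
# A permutation sigma is stored as the tuple (sigma(1), ..., sigma(n)).
from collections import Counter
from itertools import permutations
from math import factorial


def cycles(perm):
    """Disjoint cycles of perm, fixed points included as 1-cycles; each cycle
    starts at its smallest element and cycles are listed by first element."""
    n = len(perm)
    seen = [False] * (n + 1)
    result = []
    for start in range(1, n + 1):
        if seen[start]:
            continue
        cycle, i = [], start
        while not seen[i]:
            seen[i] = True
            cycle.append(i)
            i = perm[i - 1]           # sigma(i)
        result.append(tuple(cycle))
    return result


def cycle_type(perm):
    """The partition (k_1 >= k_2 >= ... >= k_r) of n given by the cycle lengths."""
    return tuple(sorted((len(c) for c in cycles(perm)), reverse=True))


def inversions(perm):
    """inv(sigma) = number of pairs i < j with sigma(i) > sigma(j) (footnote 6)."""
    n = len(perm)
    return sum(1 for i in range(n) for j in range(i + 1, n) if perm[i] > perm[j])


def sign(perm):
    """epsilon(sigma) = (-1)^inv(sigma)."""
    return -1 if inversions(perm) % 2 else 1


def class_size(ptype):
    """Number of permutations of the given type: n! / prod_k k^N_k N_k!,
    where N_k is the number of k-cycles in the type."""
    n = sum(ptype)
    denominator = 1
    for k, n_k in Counter(ptype).items():
        denominator *= k ** n_k * factorial(n_k)
    return factorial(n) // denominator


def class_sizes_by_enumeration(n):
    """Count the permutations of S_n by type, to compare with class_size."""
    return dict(Counter(cycle_type(p) for p in permutations(range(1, n + 1))))


def alternating_group_by_type(n):
    """Types and counts of the even permutations, i.e. the elements of A_n."""
    return dict(Counter(cycle_type(p) for p in permutations(range(1, n + 1))
                        if sign(p) == 1))
```

For n = 5 the even permutations split as 1 identity, 15 of type (2, 2, 1), 20 of type (3, 1, 1) and 24 of type (5), the 60 elements listed at the start of the proof of theorem 1.3.2.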


Finally, the two permutations t := (1, 2) and c := (1, 2, ..., n) also generate $S_n$: we have $ctc^{-1} = (2, 3)$, $c^2 t c^{-2} = (3, 4)$, ..., $c^{n-2} t c^{-(n-2)} = (n-1, n)$.

If $n \ge 3$, the center of $S_n$ (i.e., the group of elements in $S_n$ that commute with all the elements of $S_n$) reduces to the identity element. In fact, let $\sigma \in S_n \setminus \{\mathrm{id}\}$. Then there exists $i \in [[1, n]]$ such that $j := \sigma(i) \ne i$. Let $k \in [[1, n]] \setminus \{i, j\}$, and τ := (j, k). Then $\sigma\tau(i) = \sigma(i) = j$, $\tau\sigma(i) = \tau(j) = k$, thus $\sigma\tau \ne \tau\sigma$ and σ does not belong to the center of $S_n$.

The sign of a permutation σ is defined by $\varepsilon(\sigma) = (-1)^{\mathrm{inv}(\sigma)}$, where inv(σ) is the number⁶ of inversions of σ. For example, the sign of a k-cycle is $(-1)^{k-1}$. A permutation is said to be even (resp. odd) if its sign is 1 (resp. −1). We recall that the sign ε is the unique group epimorphism from $S_n$ onto {1, −1}. Consequently, the group of even permutations is the only subgroup of index 2 in $S_n$. It is called the alternating group and it is denoted by $A_n$.

If $n \ge 3$, then the 3-cycles generate $A_n$: in fact, the products of an even number of transpositions generate $A_n$; and we have $(i, j)(j, k) = (i, j, k)$, $(i, j)(i, k) = (i, k, j)$ and $(i, j)(k, l) = (i, j)(i, k)(i, k)(k, l) = (i, k, j)(i, k, l)$.

1.3.2 Simplicity of $A_n$ for n ≥ 5

Let us recall that a group G is said to be simple if it does not reduce to the identity element and if it possesses no proper nontrivial normal subgroup. In this paragraph, we state and prove an important result about $A_n$: $A_n$ is simple for $n \ge 5$. The proof of this theorem has two steps: in the first one, we show that the group $A_5$ is simple, and in the second one we study the case where $n \ge 6$.

Lemma 1.3.1 If n is greater than or equal to 5, then the 3-cycles are conjugate in $A_n$.

Proof: Let us consider two 3-cycles $c := (a_1, a_2, a_3)$ and $d := (b_1, b_2, b_3)$. We can write $[[1, n]] = \{a_1, \ldots, a_n\} = \{b_1, \ldots, b_n\}$, and we define a permutation σ by $\sigma(a_j) = b_j$ for every $j \in [[1, n]]$. If $\varepsilon(\sigma) = 1$, then $d = \sigma c \sigma^{-1}$ with $\sigma \in A_n$. Otherwise, we set $\tilde\sigma := (a_{n-1}, a_n)\sigma$, so that $d = \tilde\sigma c \tilde\sigma^{-1}$ with $\tilde\sigma \in A_n$. □

Theorem 1.3.2 (Galois) The group $A_n$ is simple for $n \ge 5$.

⁶The number inv(σ) is the order of the set $\{(i, j) \in [[1, n]]^2 / i < j \text{ and } \sigma(i) > \sigma(j)\}$.


Proof:
• There are 60 elements in $A_5$: the identity element (type $(\cdot)$), 15 elements of order 2 (type $(\cdot\cdot)(\cdot\cdot)$), 20 elements of order 3 (type $(\cdot\cdot\cdot)$), and 24 elements of order 5 (type $(\cdot\cdot\cdot\cdot\cdot)$).

According to lemma 1.3.1, the elements of order 3 are conjugate in $A_5$. It is the same for the elements of order 2. In fact, if $c := (a_1, a_2)(a_3, a_4)(a_5)$ and $d := (b_1, b_2)(b_3, b_4)(b_5)$ are two elements of order 2, then there exists as above a permutation $\sigma \in A_5$ such that $\sigma(a_1) = b_1$, $\sigma(a_2) = b_2$, and $\sigma(a_5) = b_5$. Then $\sigma c \sigma^{-1} = d$. Let us now consider a subgroup H that is normal in $A_5$ and different from {id}. If H contains an element of order 3, then it contains all the elements of order 3. In the same way, if H contains an element of order 2, then it contains all the elements of order 2. If now H contains an element of order 5, then it contains the 5-Sylow subgroup⁷ of $A_5$ generated by this element. Moreover, all the 5-Sylow subgroups are conjugate, and H is normal in $A_5$, thus H contains all the 5-Sylow subgroups, hence all the elements of order 5. If H contains, in addition to id, only one of the three types of elements cited above, then we have either |H| = 24 + 1 = 25 or |H| = 21 or |H| = 16. This contradicts Lagrange's theorem, according to which |H| divides $|A_5| = 60$. Consequently, H contains at least two of the types of elements cited above, and we have $|H| \ge 20 + 15 + 1 = 36$, thus |H| = 60 since |H| divides 60. Finally, we have $H = A_5$, which shows that $A_5$ is simple.

• Let us now study the case where $n \ge 6$: let H be a normal subgroup of $A_n$ that is different from {id}. Let us set I := [[1, n]]. There exists an element $\sigma \in H$ different from id, thus there exists $a \in I$ such that $b := \sigma(a) \ne a$. As n is greater than or equal to 4, there exists $c \in I$ such that c does not belong to the set $\{a, b, \sigma(b)\}$. Let us set $\tau := (a, c, b) \in A_n$, and $\rho := \tau\sigma\tau^{-1}\sigma^{-1}$. Then $\tau^{-1} = (b, c, a)$, $\rho = (\tau\sigma\tau^{-1})\sigma^{-1}$ belongs to H, and $\rho = \tau(\sigma\tau^{-1}\sigma^{-1}) = (a, c, b)(\sigma(b), \sigma(c), \sigma(a))$. As $\sigma(a) = b$, the set $J := \{a, c, b, \sigma(b), \sigma(c), \sigma(a)\}$ contains at most five elements, and we have $\rho(J) = J$ and $\rho|_{I \setminus J} = \mathrm{id}_{I \setminus J}$. We can assume that |J| = 5, possibly after adding some elements to J. We have $\rho \ne \mathrm{id}$ ($\rho(b) = \tau(\sigma(b)) \ne b$ because otherwise $\sigma(b) = \tau^{-1}(b) = c$, which is a contradiction).

The set $A_J$ of even permutations of J can be identified with the group $A_5$, and the map $j : \alpha \mapsto \tilde\alpha$, defined by $\tilde\alpha|_J = \alpha$ and $\tilde\alpha|_{I \setminus J} = \mathrm{id}_{I \setminus J}$, is an injection from $A_J$ to $A_n$. Let us set $\hat H := j^{-1}(H) = \{u \in A_J / \tilde u \in H\} = H \cap A_J$. Then $\hat H$ is normal in $A_J$ and it does not reduce to the identity element because $\rho|_J$ belongs to $\hat H$ and $\rho|_J \ne \mathrm{id}_J$. As $A_J \simeq A_5$ is simple (first part of the proof), $\hat H = A_J$.

⁷See paragraph 7.1.1.


Now let α be a 3-cycle in $A_J$. Then $\alpha \in \hat H$, thus $\tilde\alpha \in H$. Moreover, $\tilde\alpha$ is also a 3-cycle, and all the 3-cycles are conjugate in $A_n$, hence all the 3-cycles are in H since H is normal in $A_n$. As the 3-cycles generate $A_n$, we have $H = A_n$: this completes the proof. □

Corollary 1.3.3 For $n \ge 5$, the only normal subgroups of $S_n$ are {id}, $A_n$ and $S_n$.

Proof: If H is normal in $S_n$, then $H \cap A_n$ is normal in $A_n$, thus by theorem 1.3.2, we have $H \cap A_n = A_n$ or $H \cap A_n = \{\mathrm{id}\}$. In the first case, we have $H = A_n$ or $H = S_n$. In the second case, the sign ε induces a group isomorphism from H onto $\varepsilon(H) \subset \{1, -1\}$, hence $|H| \le 2$. If |H| = 2, we have H = {id, σ}, with $\sigma \ne \mathrm{id}$. Let $\tau \in S_n$. As H is normal in $S_n$, we have $\tau\sigma\tau^{-1} \in H$, and $\tau\sigma\tau^{-1} \ne \mathrm{id}$, thus $\tau\sigma\tau^{-1} = \sigma$, i.e., σ belongs to the center of $S_n$. This is absurd since the center of $S_n$ reduces to the identity element for $n \ge 3$. □

Let us also note that every subgroup H of index 2 in a group G is necessarily normal in G: in fact, there are two right cosets (H and Hx) and two left cosets (H and yH) modulo H. In this way, we have Hx = yH, then Hx = Hy (in fact, if Hx = H, we have $x \in H$, which is impossible), hence yH = Hy.

1.4 Exercises

Exercise 1.4.1 (Fermat numbers) Show that if $2^n + 1$ is a prime number, then n is a power of 2. We call a number of the form $F_j := 2^{2^j} + 1$ for $j \in \mathbb{N}$ a Fermat number. The numbers $F_0, \ldots, F_4$ are prime, but $F_5 = 641 \times 6\,700\,417$ is not prime (this last result was proved by Euler).

Solution If n is not a power of 2, then n has at least an odd prime factor p. In this way, there exists $q \in \mathbb{N}$ such that n = pq. Then $2^n + 1 = (2^q)^p + 1 = (2^q + 1)\left((2^q)^{p-1} - \cdots + (2^q)^2 - 2^q + 1\right)$ is divisible by $2^q + 1$, thus $2^n + 1$ is not prime.

Exercise 1.4.2 (Mersenne numbers) Show that if $a^n - 1$ is a prime number, then a = 2 and n is a prime number. We call a number of the form $M_n := 2^n - 1$ with n prime a Mersenne number. The numbers $M_2, M_3, M_5, M_7$ are prime, but $M_{11} = 23 \times 89$ is not prime.


Solution We have $a^n - 1 = (a - 1)(1 + a + \cdots + a^{n-1})$. Since $a^n - 1$ is prime, we have a − 1 = 1, i.e., a = 2. Let us write n as n = pq. Then $2^n - 1 = (2^q)^p - 1$, thus $2^q - 1$ divides $2^n - 1$. As $2^n - 1$ is prime, we have either q = 1 or q = n, which shows that n is prime.

Exercise 1.4.3 (“Classical” arithmetic) Two Jesuits, Ignace and John, meet three Jansenists during a walk through the countryside. John asks Ignace for their ages. Ignace answers him that the product of their ages is equal to 2 450 and that the sum of their ages is equal to twice his own age. He also tells him that he is older than they are. How old are the Jansenists, and how old is Ignace?

Solution Let us denote by x, y, z the ages of the three Jansenists and l Ignace's age. We have xyz = 2 450, x + y + z = 2l and x < l, y < l, z < l. We also have $2\,450 = 7^2 \times 5^2 \times 2$. As x + y + z is even, either the three numbers x, y, z are even, or two are odd (for example, y and z) and the other one is even (for example, x). Since 2 450 has only one even prime factor, we are necessarily in the second case. We can assume that none of the Jansenists is one year old (in fact, we always have $y - x \ge 1$ or $x - y \ge 1$, i.e., $y \ge \frac{x+y+1}{2}$ or $x \ge \frac{x+y+1}{2}$). The triple (x, y, z) is equal (possibly after switching the roles of x, y, z) to one of the triples $(7^2 \times 5, 5, 2)$, $(7 \times 5^2, 7, 2)$, $(7^2, 5^2, 2)$, $(7 \times 5, 7 \times 5, 2)$, $(7^2 \times 2, 5, 5)$, $(5^2 \times 2, 7, 7)$, $(5 \times 7 \times 2, 5, 7)$, $(5 \times 2, 5, 7^2)$, $(5 \times 2, 5 \times 7, 7)$, $(7 \times 2, 5^2, 7)$, $(7 \times 2, 5 \times 7, 5)$. The sums x + y + z are respectively equal to 252, 184, 76, 72, 108, 64, 82, 64, 52, 46, 54. Only the fourth case is possible: x = y = 35, z = 2 (!) and l = 36.

Exercise 1.4.4 (Möbius function) The Möbius function is the map $\mu : \mathbb{N}^\times \to \mathbb{Z}$ defined by μ(1) = 1, $\mu(n) = (-1)^r$ if n is the product of r distinct prime factors, and μ(n) = 0 if n possesses a square factor.
1. Show that μ is a multiplicative function, i.e., if m and n are coprime, then μ(mn) = μ(m)μ(n).
2. Show that $\sum_{d | n} \mu(d) = 1$ if n = 1 and 0 otherwise. Deduce that $\sum_{n=1}^{\infty} \frac{\mu(n)}{n^2} = \frac{6}{\pi^2}$.
3. Let f be a multiplicative arithmetic function. Show that $\tilde f : n \mapsto \sum_{d | n} f(d)$ is also multiplicative and that we have $f(n) = \sum_{d | n} \mu(d)\, \tilde f\left(\frac{n}{d}\right)$. This relation is called the Möbius inversion formula.
4. Deduce the relation $\varphi(n) = n \sum_{d | n} \frac{\mu(d)}{d}$.


Solution 1. Let $m, n \in \mathbb{N}^\times$ be two coprime integers greater than or equal to $2$ (if one of them equals $1$, the identity is trivial). If one of the two numbers possesses a square factor, then so does the product $mn$, and both sides equal $0$. Otherwise, let $r_m$ (resp. $r_n$) be the number of distinct prime factors of $m$ (resp. $n$); since $m$ and $n$ are coprime, these prime factors are all distinct from one another, so $mn$ is square-free with $r_m + r_n$ distinct prime factors. Then $\mu(mn) = (-1)^{r_m + r_n} = (-1)^{r_m}(-1)^{r_n}$, i.e., $\mu(mn) = \mu(m)\mu(n)$, which shows that $\mu$ is multiplicative.

2. Let $n \in \mathbb{N}^\times$ be an integer greater than or equal to $2$, and let $r$ be the number of distinct prime factors of $n$. The set of divisors of $n$ can be written as $C \sqcup D$, where $C$ is the set of divisors that possess a square factor (on which $\mu$ vanishes), and $D$ the set of square-free divisors. Then we have $D = \bigsqcup_{k=0}^{r} D_k$, where $D_k$ is the set of divisors of $n$ that are products of $k$ distinct prime factors; the cardinality of $D_k$ is $|D_k| = \binom{r}{k}$. Then we have
$$\sum_{d \mid n} \mu(d) = \sum_{k=0}^{r} \sum_{j \in D_k} \mu(j) = \sum_{k=0}^{r} \sum_{j \in D_k} (-1)^k = \sum_{k=0}^{r} \binom{r}{k} (-1)^k = (1 - 1)^r = 0,$$
while the sum equals $\mu(1) = 1$ for $n = 1$. Since the series $\sum \frac{\mu(n)}{n^2}$ and $\sum \frac{1}{m^2}$ both converge absolutely, we may multiply them and group the terms according to $p = mn$:
$$\left(\sum_{n=1}^{\infty} \frac{\mu(n)}{n^2}\right)\left(\sum_{m=1}^{\infty} \frac{1}{m^2}\right) = \sum_{p=1}^{\infty} \frac{1}{p^2} \sum_{mn = p} \mu(n) = \sum_{p=1}^{\infty} \frac{1}{p^2} \sum_{n \mid p} \mu(n) = \mu(1) + \sum_{p=2}^{\infty} \frac{0}{p^2} = 1,$$
hence the expected result, as $\sum_{m=1}^{\infty} \frac{1}{m^2} = \frac{\pi^2}{6}$.

3. If $f$ is multiplicative, and if $m$ and $n$ are coprime, then the divisors of $mn$ are exactly the numbers of the form $ab$ where $a \mid m$ and $b \mid n$ (each in a unique way, with $a$ and $b$ coprime), thus $\tilde f(mn) = \sum_{a \mid m} \sum_{b \mid n} f(a) f(b) = \tilde f(m)\,\tilde f(n)$, and in this way $\tilde f$ is multiplicative. We have the equivalence
$$\left(d \mid n \text{ and } k \mid \tfrac{n}{d}\right) \iff \left(k \mid n \text{ and } d \mid \tfrac{n}{k}\right),$$
thus
$$\sum_{d \mid n} \mu(d)\,\tilde f\!\left(\frac{n}{d}\right) = \sum_{d \mid n} \mu(d) \sum_{k \mid \frac{n}{d}} f(k) = \sum_{k \mid n} f(k) \sum_{d \mid \frac{n}{k}} \mu(d).$$
According to question 2, $\sum_{d \mid \frac{n}{k}} \mu(d) = 1$ if $\frac{n}{k} = 1$, i.e., $k = n$, and $0$ otherwise, hence the right-hand side reduces to $f(n)$: this is the Möbius inversion formula.

4. Euler's totient function is multiplicative, therefore we can use question 3: the function $\tilde\varphi$ is defined by $\tilde\varphi(n) = \sum_{d \mid n} \varphi(d)$, i.e., $\tilde\varphi(n) = n$ according to paragraph 1.1.2. Then we have
$$\varphi(n) = \sum_{d \mid n} \mu(d)\,\tilde\varphi\!\left(\frac{n}{d}\right) = n \sum_{d \mid n} \frac{\mu(d)}{d}.$$
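The following Python code is an added numerical check of questions 1 to 4; it is not part of the book, which uses Maple. It factors integers by trial division (an assumption that is only adequate for the small inputs used here), verifies the divisor sum of $\mu$, recovers $\varphi$ from $\tilde\varphi(n) = n$ by Möbius inversion, and compares the partial sums of $\sum \mu(n)/n^2$ with $6/\pi^2$. All function names are chosen here and are not the book's.

```python
from math import gcd


def factorize(n):
    """Prime factorization {p: exponent} by trial division (assumption: n is small)."""
    assert n >= 1
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def mobius(n):
    """mu(n): 0 if a square divides n, else (-1)^(number of distinct primes); mu(1) = 1."""
    f = factorize(n)
    if any(e >= 2 for e in f.values()):
        return 0
    return (-1) ** len(f)


def divisors(n):
    """All positive divisors of n, built from the factorization."""
    divs = [1]
    for p, e in factorize(n).items():
        divs = [d * p ** k for d in divs for k in range(e + 1)]
    return sorted(divs)


def multiplicativity_holds(limit):
    """Question 1: mu(mn) = mu(m) mu(n) on every coprime pair with m, n < limit."""
    return all(mobius(m * n) == mobius(m) * mobius(n)
               for m in range(1, limit) for n in range(1, limit) if gcd(m, n) == 1)


def mobius_divisor_sum(n):
    """Question 2: sum of mu(d) over d | n; expected 1 for n = 1 and 0 otherwise."""
    return sum(mobius(d) for d in divisors(n))


def mobius_partial_sum(N):
    """Partial sum of the series sum mu(n)/n^2, whose limit is 6/pi^2."""
    return sum(mobius(n) / n ** 2 for n in range(1, N + 1))


def mobius_inversion(f_tilde, n):
    """Question 3: given f_tilde(n) = sum_{d|n} f(d), return f(n) = sum_{d|n} mu(d) f_tilde(n/d)."""
    return sum(mobius(d) * f_tilde(n // d) for d in divisors(n))


def phi_direct(n):
    """Euler's totient from the product formula n * prod (1 - 1/p)."""
    result = n
    for p in factorize(n):
        result = result // p * (p - 1)
    return result


def phi_by_inversion(n):
    """Question 4: since sum_{d|n} phi(d) = n, inversion gives phi(n) = n sum_{d|n} mu(d)/d."""
    return mobius_inversion(lambda m: m, n)


if __name__ == "__main__":
    print(multiplicativity_holds(40))                  # True
    print(phi_by_inversion(2450), phi_direct(2450))    # 840 840
    print(mobius_partial_sum(2000))                    # close to 6/pi^2 = 0.6079...
```

The tail of $\sum \mu(n)/n^2$ beyond $N$ is bounded in absolute value by $\sum_{n > N} 1/n^2 < 1/N$, so the partial sum at $N = 2000$ agrees with $6/\pi^2$ to about three decimals; this is the only approximate check in the block, the others are exact integer identities.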

Exercise 1.4.5 (Perfect numbers) A positive integer is said to be perfect if the sum of its proper positive divisors is equal to itself. For $n \in \mathbb{N}^\times$, we denote by $\sigma(n)$ the sum of the positive divisors of $n$, so that $n$ is perfect if and only if $\sigma(n) = 2n$.
1. Show that if $m$ and $n$ are coprime, then we have $\sigma(mn) = \sigma(m)\sigma(n)$.
2. Give an example of a perfect number. Show that if $2^q - 1$ is a prime number, then $2^{q-1}(2^q - 1)$ is a perfect number.
3. Show that an even perfect number is of the form $2^{q-1}(2^q - 1)$, where $2^q - 1$ is a prime number.⁸
4. Define a Maple function that determines if a positive integer $n$ is perfect. Deduce a function that determines all the perfect numbers that are less than or equal to a given integer $m$. Find the list of all the perfect numbers less than or equal to $50\,000$.

⁸ It is not known if there exist odd perfect numbers.


Solution 1. Let us write $n$ as $n = p_1^{\alpha_1} \cdots p_r^{\alpha_r}$, where $p_1, \ldots, p_r$ are distinct prime numbers. The divisors of $n$ are the $p_1^{i_1} \cdots p_r^{i_r}$ with $0 \leq i_j \leq \alpha_j$, hence
$$\sigma(n) = \sum_{i_1=0}^{\alpha_1} \cdots \sum_{i_r=0}^{\alpha_r} p_1^{i_1} \cdots p_r^{i_r} = \prod_{j=1}^{r} \left(1 + p_j + \cdots + p_j^{\alpha_j}\right) = \prod_{j=1}^{r} \frac{p_j^{\alpha_j + 1} - 1}{p_j - 1}.$$
Since coprime $m$ and $n$ have no prime factor in common, the product for $mn$ splits as the product for $m$ times the product for $n$; this shows that if $m$ and $n$ are coprime, then we have $\sigma(mn) = \sigma(m)\sigma(n)$.

2. The number $6 = 1 + 2 + 3$ is a perfect number. Let us set $n := 2^{q-1}(2^q - 1)$. According to question 1 (the two factors are coprime, $2^q - 1$ being odd), we have $\sigma(n) = \sigma(2^{q-1})\,\sigma(2^q - 1) = (2^q - 1)\,2^q = 2n$, since $\sigma(2^{q-1}) = 1 + 2 + \cdots + 2^{q-1} = 2^q - 1$ and $\sigma(2^q - 1) = 1 + (2^q - 1) = 2^q$ because $2^q - 1$ is prime. This shows that $n$ is perfect.

3. Let $n$ be an even perfect number. There exist $q \geq 2$ and an odd integer $m$ such that $n = 2^{q-1} m$. As $2^{q-1}$ and $m$ are coprime, we have $\sigma(n) = \sigma(2^{q-1})\,\sigma(m) = (2^q - 1)\,\sigma(m)$. By hypothesis, $\sigma(n) = 2n = 2^q m$, thus we have $(2^q - 1)\,\sigma(m) = 2^q m$. Therefore, $2^q - 1$ divides $2^q m$, hence $m$ (Euclid's lemma, as $2^q - 1$ and $2^q$ are coprime). Then there exists $j \in \mathbb{N}^\times$ such that $m = (2^q - 1) j$. We deduce that $(2^q - 1)\,\sigma(m) = 2^q (2^q - 1) j$, thus $\sigma(m) = 2^q j = m + j$. If $j \geq 2$, the number $m$ has at least three distinct divisors, namely $1$, $j$ and $m$ (note that $j < m$ because $2^q - 1 \geq 3$), hence $\sigma(m) \geq 1 + j + m$, which is impossible. Consequently, $j = 1$, so that $m = 2^q - 1$ and $\sigma(m) = m + 1$. Then the only divisors of $m$ are $1$ and $m$, i.e., $m = 2^q - 1$ is prime, and we are done.

4. We use the function sigma of the library numtheory, which receives an integer and returns the sum of its divisors.

    perfect:=proc(n) if numtheory[sigma](n)-n=n then true else false fi; end proc:
    listperfects:=proc(m) local L,n;
      L:=[]:
      for n from 1 to m do if perfect(n) then L:=[op(L),n] fi: od:
      L;
    end proc:
    listperfects(50000);   → [6, 28, 496, 8128]
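As an added illustration of questions 1 to 4, here is a Python counterpart of the Maple procedures above; it is not from the book, and its function names are chosen here. It computes $\sigma$ by pairing divisors up to $\sqrt{n}$, lists the perfect numbers up to a bound with a divisor sieve (which replaces the per-integer call to numtheory[sigma] by one pass over the multiples of each $d$), and checks the form $2^{q-1}(2^q - 1)$ of question 3 on every even perfect number found, including the case $q = 11$ where $2^q - 1$ is not prime.

```python
from math import isqrt


def sigma(n):
    """sigma(n): sum of the positive divisors of n, pairing each d <= sqrt(n) with n // d."""
    assert n >= 1
    total = 0
    for d in range(1, isqrt(n) + 1):
        if n % d == 0:
            total += d
            if d != n // d:
                total += n // d
    return total


def is_perfect(n):
    """n is perfect iff sigma(n) = 2n (the same test as the Maple 'perfect' above)."""
    return n >= 1 and sigma(n) == 2 * n


def sigma_table(m):
    """sigma(n) for every 1 <= n <= m by a divisor sieve: each d is added to all its multiples,
    about m log m additions in total instead of m separate divisor scans."""
    table = [0] * (m + 1)
    for d in range(1, m + 1):
        for k in range(d, m + 1, d):
            table[k] += d
    return table


def perfect_numbers_up_to(m):
    """Counterpart of the Maple 'listperfects'."""
    table = sigma_table(m)
    return [n for n in range(1, m + 1) if table[n] == 2 * n]


def is_prime(n):
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))


def mersenne_perfect(q):
    """2^(q-1) (2^q - 1): perfect exactly when 2^q - 1 is prime (question 2)."""
    return 2 ** (q - 1) * (2 ** q - 1)


def euclid_euler_form(n):
    """Question 3: for even n, return q if n = 2^(q-1) (2^q - 1) with 2^q - 1 prime, else None."""
    if n <= 0 or n % 2:
        return None
    q = 1
    while n % 2 == 0:      # strip the power of two: n = 2^(q-1) m with m odd
        n //= 2
        q += 1
    m = n
    if m == 2 ** q - 1 and is_prime(m):
        return q
    return None


if __name__ == "__main__":
    print(perfect_numbers_up_to(50000))                                   # [6, 28, 496, 8128]
    print([euclid_euler_form(n) for n in perfect_numbers_up_to(50000)])   # [2, 3, 5, 7]
```

Question 1 can be exercised directly: sigma(36) equals sigma(4) * sigma(9), whereas sigma(8) differs from sigma(2) * sigma(4), since 2 and 4 are not coprime.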

Exercise 1.4.6 (Symmetric group) Show that the transpositions of the form $(1, j)$ for $j \in [[2, n]]$ generate $S_n$.

Solution We know that the transpositions generate $S_n$. Moreover, for distinct $i, j \in [[2, n]]$ we have $(i, j) = (1, j)(1, i)(1, j)$, therefore the transpositions of the form $(1, j)$ for $j \in [[2, n]]$ generate $S_n$.

Exercise 1.4.7 (Symmetric group) Let $H$ be a subgroup of index $n$ of $S_n$. Show that $H$ is isomorphic to $S_{n-1}$. Hint: Consider two cases: $n \leq 4$ and $n \geq 5$.

Solution
• If $n = 1, 2$ or $3$, the result is obvious. For $n = 4$, $H$ has order $6$; if $H$ is not isomorphic to $S_3$, then $H$ is isomorphic to $\mathbb{Z}/6\mathbb{Z}$ (the only other group of order $6$), thus it is generated by an element of order $6$, which is impossible because $S_4$ does not contain any element of order $6$ (its elements have order $1$, $2$, $3$ or $4$).
• Let us assume that $n$ is greater than or equal to $5$. The group $S_n$ acts by translation on the left on $X := S_n / H$ (a set with $n$ elements), via the homomorphism $\varphi : S_n \to S_X$ defined by $\varphi(x) : \sigma H \mapsto x\sigma H$, and we have $S_X \simeq S_n$. Moreover, $\operatorname{Ker}(\varphi)$ is a normal subgroup of $S_n$, and as $n \geq 5$, $\operatorname{Ker}(\varphi)$ is isomorphic to $\{\mathrm{id}\}$, $A_n$ or $S_n$ according to corollary 1.3.3. If $\operatorname{Ker}(\varphi) \simeq S_n$, we have $\operatorname{Im}(\varphi) \simeq S_n / \operatorname{Ker}(\varphi) \simeq \{\mathrm{id}\}$, which is a contradiction (we would have $xH = H$ for every $x \in S_n$, i.e., $H = S_n$, of index $1 \neq n$). If $\operatorname{Ker}(\varphi) \simeq A_n$, then for every $\sigma \in A_n$, we have $\sigma H = H$, thus $\sigma \in H$, hence $A_n \subset H$, which is a contradiction for $n > 2$ (since $A_n$ has index $2$ while $H$ has index $n$). Finally, $\operatorname{Ker}(\varphi) \simeq \{\mathrm{id}\}$, and $\varphi$ is a bijective map (injective between two groups of the same order $n!$), thus $\varphi(H) \simeq H$. As $H$ is the stabilizer of the point $H$ of $X$ (in fact, if $h \in H$, $hH = H$, and conversely, if $\sigma H = H$, we have $\sigma = \sigma \cdot \mathrm{id} \in H$), $\varphi(H)$ is the stabilizer of a single point in $S_X \simeq S_n$, thus it is isomorphic to $S_{n-1}$.

Exercise 1.4.8 (Symmetric group) We recall that given a field $K$, the projective group $\mathrm{PGL}_n(K)$ is the quotient of $\mathrm{GL}_n(K)$ by its center, and that this center consists of the homotheties of nonzero ratio. The projective line, denoted by $\mathbb{P}(K^2)$, is the set of lines of the plane $K^2$ passing through the origin.

Here we consider a finite field of order $q$, denoted by $\mathbb{F}_q$. Show that $\mathrm{PGL}_2(\mathbb{F}_q)$ is isomorphic to a subgroup of $S_{q+1}$. Hint: Use the natural action of $\mathrm{GL}_2(\mathbb{F}_q)$ on $\mathbb{P}(\mathbb{F}_q^2)$.

Solution The group $\mathrm{GL}_2(\mathbb{F}_q)$ acts on $\mathbb{P}(\mathbb{F}_q^2)$ via the homomorphism $\varphi : \mathrm{GL}_2(\mathbb{F}_q) \to S_{\mathbb{P}(\mathbb{F}_q^2)}$ defined by $\varphi(g)(D) = g(D)$. We have $\operatorname{Ker}(\varphi) = \mathbb{F}_q^\times$ (the homotheties of nonzero ratio): in fact, we clearly have $\mathbb{F}_q^\times \subset \operatorname{Ker}(\varphi)$. Now let $f \in \operatorname{Ker}(\varphi)$, and let $(x, y)$ be a basis of $\mathbb{F}_q^2$. Then $f(x) = \lambda_x x$ and $f(y) = \lambda_y y$. In the same way, $f(x + y) = \lambda_{x+y}(x + y)$, hence $(\lambda_{x+y} - \lambda_x)\,x + (\lambda_{x+y} - \lambda_y)\,y = 0$. As $x$ and $y$ are linearly independent, we have $\lambda_x = \lambda_{x+y} = \lambda_y$, and $f$ is a homothety of nonzero ratio. In this way, $\operatorname{Ker}(\varphi) = \mathbb{F}_q^\times$, and then $\varphi(\mathrm{GL}_2(\mathbb{F}_q)) \simeq \mathrm{GL}_2(\mathbb{F}_q) / \operatorname{Ker}(\varphi) \simeq \mathrm{GL}_2(\mathbb{F}_q) / \mathbb{F}_q^\times$, i.e., $\varphi(\mathrm{GL}_2(\mathbb{F}_q)) \simeq \mathrm{PGL}_2(\mathbb{F}_q)$. Moreover, $\varphi(\mathrm{GL}_2(\mathbb{F}_q))$ is a subgroup of $S_{\mathbb{P}(\mathbb{F}_q^2)}$, which is isomorphic to $S_{q+1}$: in fact, a line of the plane passing through the origin being defined by a nonzero vector, there are $|\mathbb{F}_q^2| - 1$ possibilities, and since the $|\mathbb{F}_q| - 1$ nonzero vectors collinear to a given one provide the same line, we have
$$|\mathbb{P}(\mathbb{F}_q^2)| = \frac{|\mathbb{F}_q^2| - 1}{|\mathbb{F}_q| - 1} = \frac{q^2 - 1}{q - 1} = q + 1.$$
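To see the action concretely, here is an added Python computation, not from the book, for a prime $q = p$, so that $\mathbb{F}_q = \mathbb{Z}/p\mathbb{Z}$ and the field arithmetic is ordinary modular arithmetic (a prime power $q$ would need a field implementation, which this block deliberately does not attempt). It enumerates $\mathrm{GL}_2(\mathbb{F}_p)$, computes $\varphi(g)$ as a permutation of the $p + 1$ points of $\mathbb{P}(\mathbb{F}_p^2)$, and checks that the kernel is exactly the set of scalar matrices, that $\varphi$ is a homomorphism, and that the image has $|\mathrm{GL}_2(\mathbb{F}_p)| / (p - 1) = p(p^2 - 1)$ elements inside $S_{p+1}$. Function names are chosen here.

```python
from itertools import product


def projective_line(p):
    """Points of P(F_p^2): the line spanned by (x, 1) for each x in F_p, plus the one spanned by (1, 0).
    That is p + 1 points, matching (q^2 - 1)/(q - 1) = q + 1 from the solution."""
    return [(x, 1) for x in range(p)] + [(1, 0)]


def normalize(v, p):
    """Canonical representative of the line through the nonzero vector v = (x, y)."""
    x, y = v[0] % p, v[1] % p
    if y != 0:
        return ((x * pow(y, -1, p)) % p, 1)   # scale so that the second coordinate is 1 (p prime)
    assert x != 0, "the zero vector spans no line"
    return (1, 0)


def gl2(p):
    """All invertible 2x2 matrices (a, b, c, d) over F_p, i.e. with ad - bc nonzero mod p."""
    return [m for m in product(range(p), repeat=4) if (m[0] * m[3] - m[1] * m[2]) % p != 0]


def matmul(g, h, p):
    """Product g h of two matrices (a, b, c, d) = [[a, b], [c, d]] over F_p."""
    a, b, c, d = g
    e, f, u, v = h
    return ((a * e + b * u) % p, (a * f + b * v) % p, (c * e + d * u) % p, (c * f + d * v) % p)


def act(g, line, p):
    """phi(g)(D) = g(D): apply the matrix to a representative of D and renormalize."""
    a, b, c, d = g
    x, y = line
    return normalize((a * x + b * y, c * x + d * y), p)


def permutation_of(g, p):
    """phi(g) as a permutation of the p + 1 points, encoded as a tuple of point indices."""
    pts = projective_line(p)
    index = {pt: i for i, pt in enumerate(pts)}
    return tuple(index[act(g, pt, p)] for pt in pts)


def kernel(p):
    """Matrices acting trivially on every line; the solution shows these are the scalar matrices."""
    identity = tuple(range(p + 1))
    return [g for g in gl2(p) if permutation_of(g, p) == identity]


def image(p):
    """phi(GL_2(F_p)) as a set of permutations: PGL_2(F_p) embedded in S_{p+1}."""
    return {permutation_of(g, p) for g in gl2(p)}


def is_homomorphism(p):
    """Check phi(gh) = phi(g) o phi(h) on every pair of matrices (intended for small p)."""
    G = gl2(p)
    perm = {g: permutation_of(g, p) for g in G}
    return all(perm[matmul(g, h, p)] == tuple(perm[g][perm[h][i]] for i in range(p + 1))
               for g in G for h in G)


if __name__ == "__main__":
    for p in (2, 3, 5):
        print(p, len(gl2(p)), len(kernel(p)), len(image(p)))   # 2 6 1 6 / 3 48 2 24 / 5 480 4 120
```

For $p = 2$ and $p = 3$ the image is the whole of $S_3$ and $S_4$ respectively; for $p = 5$ it is a subgroup of order $120$ of $S_6$, so the embedding into $S_{q+1}$ is proper in general.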

Exercise 1.4.9 (Derived group) Given a group $G$, the derived group of $G$ is the group generated by the elements of the form $xyx^{-1}y^{-1}$ for $x, y \in G$. We denote it by $D(G)$.
1. Show that $D(G)$ is normal in $G$ and that $G/D(G)$ is abelian.
2. Show that if $n \geq 5$, then $D(A_n) = A_n$, and that if $n \geq 2$, then $D(S_n) = A_n$.

Solution 1. We have the relations
$$g(xyx^{-1}y^{-1})g^{-1} = (gxg^{-1})(gyg^{-1})(gx^{-1}g^{-1})(gy^{-1}g^{-1}) = (gxg^{-1})(gyg^{-1})(gxg^{-1})^{-1}(gyg^{-1})^{-1},$$
thus $g(xyx^{-1}y^{-1})g^{-1}$ belongs to $D(G)$; since the conjugate of a product of generators is the product of their conjugates, $D(G)$ is normal in $G$. Let $\bar x, \bar y \in G/D(G)$; then $\bar x\,\bar y\,\bar x^{-1}\bar y^{-1} = \overline{xyx^{-1}y^{-1}} = \bar e$ because $xyx^{-1}y^{-1}$ belongs to $D(G)$. Hence $G/D(G)$ is abelian.


2. We have $\varepsilon(xyx^{-1}y^{-1}) = \varepsilon(x)\varepsilon(y)\varepsilon(x)^{-1}\varepsilon(y)^{-1} = 1$, thus $D(A_n) \subset D(S_n) \subset A_n$. Let us take $n \geq 5$. We know that $A_n$ is generated by the $3$-cycles. Let $c := (i, j, k)$ be such a $3$-cycle. Then $c^2 = (i, k, j)$, and as $n \geq 5$, the $3$-cycles are conjugate in $A_n$, thus $c$ and $c^2$ are conjugate in $A_n$, i.e., there exists $\sigma \in A_n$ such that $c^2 = \sigma c \sigma^{-1}$, i.e., $c = \sigma c \sigma^{-1} c^{-1}$. Hence $c$ belongs to $D(A_n)$, and we have $A_n \subset D(A_n)$. The inclusions $A_n = D(A_n) \subset D(S_n) \subset A_n$ then give $D(S_n) = A_n$ for $n \geq 5$. Finally, we verify that we have $A_n \subset D(S_n)$ for $n = 2, 3, 4$: for $n = 2$, $A_2$ is trivial; for $n = 3, 4$, the $3$-cycles generate $A_n$, and we have $(i, j, k) = (i, j)(i, k)(i, j)^{-1}(i, k)^{-1} \in D(S_n)$.
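Exercise 1.4.6 and question 2 of this exercise can both be checked by brute force for small $n$. The following Python code is an added example, not from the book; points are numbered $0, \ldots, n-1$ instead of $1, \ldots, n$, permutations are tuples, and composition is read right to left as in the solutions. It generates $S_n$ from the transpositions $(1, j)$, verifies the identity $(i, j) = (1, j)(1, i)(1, j)$, and computes derived groups by closing the set of commutators under composition; run on $A_4$ it returns a group of order $4$ (the Klein four-group), which is why question 2 needs $n \geq 5$ for $D(A_n) = A_n$. Function names are chosen here.

```python
from itertools import permutations


def compose(p, q):
    """(p o q)(x) = p(q(x)), right to left. A permutation of {0, ..., n-1} is a tuple p
    with p[x] the image of x."""
    return tuple(p[q[x]] for x in range(len(q)))


def inverse(p):
    inv = [0] * len(p)
    for x, y in enumerate(p):
        inv[y] = x
    return tuple(inv)


def transposition(n, i, j):
    """The transposition (i, j) in S_n; the book's (1, j) is transposition(n, 0, j - 1) here."""
    p = list(range(n))
    p[i], p[j] = p[j], p[i]
    return tuple(p)


def generated_group(generators, n):
    """Closure of the generators under composition; in a finite group this already contains inverses."""
    identity = tuple(range(n))
    group = {identity}
    frontier = [identity]
    while frontier:
        g = frontier.pop()
        for s in generators:
            h = compose(s, g)
            if h not in group:
                group.add(h)
                frontier.append(h)
    return group


def sign(p):
    """Signature via the cycle decomposition: (-1)^(n - number of cycles)."""
    seen = [False] * len(p)
    cycles = 0
    for x in range(len(p)):
        if not seen[x]:
            cycles += 1
            while not seen[x]:
                seen[x] = True
                x = p[x]
    return (-1) ** (len(p) - cycles)


def symmetric_group(n):
    return set(permutations(range(n)))


def alternating_group(n):
    return {p for p in symmetric_group(n) if sign(p) == 1}


def group_from_first_transpositions(n):
    """Exercise 1.4.6: the subgroup generated by (1, j), j = 2..n (here (0, j), j = 1..n-1)."""
    return generated_group([transposition(n, 0, j) for j in range(1, n)], n)


def commutator(x, y):
    """x y x^-1 y^-1."""
    return compose(compose(compose(x, y), inverse(x)), inverse(y))


def derived_group(G, n):
    """D(G): the subgroup generated by all commutators of elements of G."""
    commutators = {commutator(x, y) for x in G for y in G}
    return generated_group(list(commutators), n)


if __name__ == "__main__":
    print(len(group_from_first_transpositions(5)))                          # 120
    print(derived_group(symmetric_group(4), 4) == alternating_group(4))     # True
    print(len(derived_group(alternating_group(4), 4)))                      # 4
```

The closure in generated_group only multiplies by generators on the left; this suffices because every element of a finite group has finite order, so inverses are reached as powers.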

MATHEMATICS

Algebra: Polynomials, Galois Theory and Applications
Frédéric Butin

Suitable for advanced undergraduates and graduate students in mathematics and computer science, this precise, self-contained treatment of Galois theory features detailed proofs and complete solutions to exercises. Originally published in French as Algèbre — Polynômes, théorie de Galois et applications informatiques, this 2017 Dover Aurora edition marks the volume's first English-language publication.

The three-part treatment begins by providing the essential introduction to Galois theory. The second part is devoted to the algebraic, normal, and separable Galois extensions that constitute the center of the theory and examines abelian, cyclic, cyclotomic, and radical extensions. This section enables readers to acquire a comprehensive understanding of the Galois group of a polynomial. The third part deals with applications of Galois theory, including excellent discussions of several important real-world applications of these ideas, including cryptography and error-control coding theory. Symbolic computation via the Maple computer algebra system is incorporated throughout the text (though other software of symbolic computation could be used as well), along with a large number of very interesting exercises with full solutions.

$34.95 USA. Printed in the USA. ISBN-13: 978-0-486-81015-7. ISBN-10: 0-486-81015-1.
www.doverpublications.com